Flame malware coders left clues to their identities on infected servers

The attackers behind the nation-state espionage tool known as
Flame accidentally left behind tantalising clues that provide
information about their identities and that suggest the attack
began earlier and was more widespread than previously believed.

Researchers have also uncovered evidence that the attackers may
have produced at least three other pieces of malware or variants of
Flame that are still undiscovered.

The information comes from clues, including four programmers'
nicknames, that the attackers inadvertently left behind on two
command-and-control servers they used to communicate with infected
machines and steal gigabytes of data from them. The new
details about the operation were left behind despite obvious
efforts the attackers made to wipe the servers of forensic
evidence, according to reports released Monday by
researchers from Symantec in the
US and from Kaspersky Lab in
Russia.

The new clues show that work on parts of the Flame operation
began as early as December 2006, nearly six years before Flame was
discovered, and that more than 10,000 machines are believed to have
been infected with the malware.

Although the 2006 date refers to the development of code used in
the command-and-control servers and doesn't necessarily mean the
malware itself was in the wild all of this time, Vikram Thakur, a
researcher with Symantec Security Response, says the details are
still troubling.

"For us to know that a malware campaign lasted this long and was
flying under the radar for everyone in the community, it's a little
concerning," he says. "It's a very targeted attack, but it's a very
large-scale targeted attack."

The two security firms conducted the research in partnership
with BUND-CERT, the federal computer emergency response team in
Germany, and ITU-IMPACT, the cybersecurity arm of the United
Nations' International Telecommunication Union.

Although the attackers were clearly part of a sophisticated
nation-state operation, they made a number of mistakes that
resulted in traces of their activity being left behind.

According to data gleaned from the two servers the researchers
examined:

- At least four programmers developed code for the servers and
left their nicknames in the source code
- One of the servers communicated with more than 5,000 victim
machines during just a one-week period last May, suggesting the
total victims exceed 10,000
- The infections didn't occur at once, but focused on different
groups of targets in various countries at different times; one
server focused primarily on targets in Iran and Sudan
- The attackers stole massive amounts of data -- at least 5.5
gigabytes of stolen data inadvertently left behind on one of the
servers was collected in one week
- The four pieces of malware used different custom protocols to
communicate with the servers
- The attackers used a number of means to secure their operation
as well as the data they stole -- although they left behind
gigabytes of purloined data, it was encrypted using a public key
stored in a database on the servers and an unknown private key,
preventing the researchers and anyone else without the private key
from reading it
- The attackers, perhaps suspecting that their operation was about
to be uncovered last May, attempted a cleanup operation to wipe the
Flame malware from infected machines

Flame was discovered by Kaspersky and publicly disclosed on 28
May. Kaspersky said at the time that the malware had targeted
systems in Iran, Lebanon, Syria, Sudan, Israel and the Palestinian
Territories, as well as other countries in the Middle East and
North Africa. Kaspersky estimated at the time that the malware had
infected about 1,000 machines.

The malware is highly modular and can spread via infected USB
sticks or a sophisticated exploit and man-in-the-middle attack that
hijacks the Windows Update mechanism to deliver the malware to new
victims as if it were legitimate code signed by Microsoft.

Once on machines, Flame can steal files and record keystrokes,
as well as turn on the internal microphone of a machine to record
conversations conducted over Skype or in the vicinity of the
infected computer.

Previous research on Flame conducted by Kaspersky found that
Flame had been operating in the wild undetected since at least
March 2010 and that it might have been developed in 2007.

But the new evidence indicates that development of code for the
command-and-control servers -- servers designed to communicate with
machines infected with Flame -- began at least as early as December
2006. It was created by at least four programmers, who left their
nicknames in the source code.

The Flame operation used numerous servers for its
command-and-control activities, but the researchers were able to
examine only two of them.

The first server was set up on 25 March and operated until 2
April, during which it communicated with infected machines from
5,377 unique IP addresses from more than a dozen countries. Of
these, 3,702 IP addresses were in Iran. The country with the second
largest number was Sudan, with 1,280 hits. The remaining countries
each had fewer than 100 infections.

The researchers were able to uncover the information because the
attackers had made a simple mistake.

"The attackers played with the server settings and managed to
lock themselves out of it," says Costin Raiu, senior security
researcher for Kaspersky.

Left behind on the locked server were the HTTP server logs,
showing all of the connections that came in from infected machines.
Researchers also found about 5.7 gigabytes of data stored in a
compressed and encrypted file, which the attackers had stolen from
victims' machines.
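The counting described above, turning a recovered server's HTTP access log into a tally of unique infected hosts and of hosts per country, is routine triage for a responder handed a seized command-and-control box. The script below is an added example, not code from the article or from the Symantec or Kaspersky reports. It parses constructed Apache-style log lines (RFC 5737 documentation addresses and an invented handler path, so none of it is a real Flame indicator) and uses a placeholder prefix-to-country table where a real GeoIP database would be consulted.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache/nginx "combined" log format.
# The client addresses are RFC 5737 documentation ranges and the
# "/cgi-bin/upload" handler path is invented for this example.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Mar/2012:08:14:02 +0000] "POST /cgi-bin/upload HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [26/Mar/2012:08:19:40 +0000] "POST /cgi-bin/upload HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
192.0.2.77 - - [26/Mar/2012:09:02:11 +0000] "POST /cgi-bin/upload HTTP/1.1" 200 128 "-" "Mozilla/4.0"
198.51.100.5 - - [27/Mar/2012:10:30:00 +0000] "POST /cgi-bin/upload HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
203.0.113.9 - - [28/Mar/2012:11:45:13 +0000] "GET /index.html HTTP/1.1" 404 0 "-" "curl/7.21"
this line is not a valid access-log record
"""

# One combined-format record: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Placeholder prefix-to-country table standing in for a GeoIP lookup.
# The ranges are documentation blocks, not real geolocation data.
COUNTRY_TABLE = {
    ip_network("192.0.2.0/24"): "country-A",
    ip_network("198.51.100.0/24"): "country-B",
    ip_network("203.0.113.0/24"): "country-C",
}


def parse_log(text):
    """Return one dict per well-formed access-log line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def hits_per_ip(records, path_prefix="/cgi-bin/"):
    """Count requests per client IP, keeping only successful hits on the handler path.

    Scanner noise (wrong path, non-200 status) is dropped so the tally reflects
    hosts that actually spoke to the malware's handler.
    """
    counter = Counter()
    for rec in records:
        if rec["status"] == "200" and rec["path"].startswith(path_prefix):
            counter[rec["ip"]] += 1
    return counter


def country_of(ip):
    """Map an address to a label via the placeholder table; 'unknown' if unmatched."""
    addr = ip_address(ip)
    for net, name in COUNTRY_TABLE.items():
        if addr in net:
            return name
    return "unknown"


def unique_clients_by_country(records, path_prefix="/cgi-bin/"):
    """Number of distinct infected hosts per country label."""
    by_country = defaultdict(set)
    for ip in hits_per_ip(records, path_prefix):
        by_country[country_of(ip)].add(ip)
    return {name: len(ips) for name, ips in by_country.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("hits per host:", dict(hits_per_ip(recs)))
    print("unique hosts per country:", unique_clients_by_country(recs))
```

On the constructed input the script reports three distinct hosts talking to the handler (one of them twice) and ignores the 404 probe; on a real seized log the same two aggregations are what produced the 5,377-unique-address and per-country figures quoted above.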

"If their collection of six gigabytes of data in a span of ten
days in March is indicative of how prevalent their campaign was for
multiple years in the past, they probably have terabytes of
information that they collected from thousands and thousands of
people across the globe," says Symantec's Thakur.

The second server was set up on 18 May, 2012, after Kaspersky
had discovered Flame, but before the company had publicly disclosed
its existence. The server was set up specifically to deliver a kill
module, called "browse32", to
any infected machine that connected to it in order to delete any
trace of Flame on the machine. It may have been set up after the
attackers realised they'd been caught.

Raiu says the attackers may have realised Flame had been
discovered after a honeypot machine belonging to Kaspersky reached
out to the attackers' server.

"Around the 12 May, we connected a virtual machine infected by
Flame to the internet, and the virtual machine connected to the
[attackers'] command-and-control servers," he says.

Five hours after the server with the kill module was set up on
18 May, it received its first hit from a machine infected with
Flame. The server remained in operation only about a week,
communicating with a few hundred infected machines, says
Symantec.